
well-architected's Issues

Restricting Storage account to Outbound IP addresses of App Service

Hi team,

For Azure App Services (PAAS resources that use a load balancer) with default internet access to the storage account restricted, could you add "Do not use the public OUTBOUND IP addresses of the PAAS resources (for example: Azure App Services) when configuring your storage account firewall when the resources are in the same region."

https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-faqs?source=recommendations

How do connections to Azure Storage in the same region work?
Having outbound connectivity via the scenarios above isn't necessary to connect to storage in the same region as the VM. Use network security groups (NSGs) as explained above to prevent this behavior. For connectivity to storage in other regions, outbound connectivity is required. The source IP address in the storage diagnostic logs will be an internal provider address, and not the public IP address of your VM when connecting to storage from a VM in the same region. To restrict access to your storage account to VMs in one or more virtual network subnets in the same region, use Virtual Network service endpoints. Don't use your public IP address when configuring your storage account firewall. When service endpoints are configured, you'll see your virtual network private IP address in your storage diagnostic logs and not the internal provider address.

The solution is to configure VNet integration and configure the VNet in the storage firewall.


Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

Duplicate items

Defender for Cloud is listed twice and there is not any description for either one. Please remove one and add the appropriate descriptive text.



Suggested updates to Networking considerations for sustainable workloads on Azure



Could be more structured and simplified for everyone


Broken link

The best practice below looks like it is missing a link and has a syntax issue:

Make logs and metrics available for [critical internal dependencies]#logs-for-internal-dependencies).



duplication in health modeling page

Quantify application states paragraph is mostly a duplication of previous one. The duplication starts with "The overall health state can be impacted....."

Application Logs paragraph also has several duplicated lines from previous sections. Specifically:

Telemetry correlation should be used to ensure transactions can be mapped through the end-to-end application and critical system flows, as this is vital to root cause analysis (RCA) for failures. Platform level metrics and logs such as CPU percentage, network in/out, and disk operations/sec should be collected from the application to inform a health model and detect/predict issues. This can also help to distinguish between transient and non-transient faults.



Unhelpful/inaccurate link

The link about security and compliance blueprints https://servicetrust.microsoft.com/ViewPage/SCCIntroPage points to information about O365 and not to anything about Azure blueprints. Please update to provide the appropriate content.



built in policy implementation

Just wanted to find out what the process is to implement the identified policies here. In case leading with ALZ there is a set of policies identified as that you could choose. Is there a preference on deployment tool?



Inclusion of NAT Gateway pricing

Azure NAT Gateway
Azure NAT Gateway is charged at a fixed rate per deployment hour. There’s additional cost for the amount of data transferred.
NAT Gateway resource hours billing begins immediately upon deployment.

Data processing for NAT Gateway is charged per GB of data transferred through NAT Gateway. Data transfer charges for NAT gateway include both outbound and return traffic. Unsolicited inbound traffic does not pass through a NAT gateway by design.

For more information, see:
https://azure.microsoft.com/pricing/details/azure-nat-gateway/



Incorrect Measurement Link



Video could not be loaded error

These videos were working a few weeks ago, but for some reason today I am seeing the below error when trying to play any video within the well-architected framework documentation:

image



Reliability Webpage has non-working links

Team:

I am looking for a resource to share with a customer on the reliability of Azure. This webpage has multiple video links that are not working and would be a really poor resource to share in its current state. Can you please assist with this? Please let me know if you have any questions.

https://learn.microsoft.com/en-us/azure/architecture/framework/#reliability

Thank you!

Amy



NSG on gateway subnet can be applied

Hi,
https://learn.microsoft.com/en-us/azure/architecture/framework/services/networking/azure-application-gateway#policy-definitions
states that no NSG must be assigned to the gateway subnet. We are doing that and have no problems with the gateway.
Our NSG looks like this:
image
I think this would be a better/safer solution than not applying an NSG at all.



"Use Webjobs" checklist item is missing a configuration recommendation.

The checklist contains the item "Use Webjobs", but the "Configuration recommendations" section is missing this item



Guidance on Bastion usage or alternatives

It would be great to see guidance on securely accessing virtual machines in a sustainable way, as we’ve struggled with this.

We have a small number of virtual machines running on a schedule, that require remote access.

These are accessed via a bastion (which appeared to be the most ‘azure’ way of doing so securely) - however the bastion service currently cannot be enabled/disabled or set to run on a schedule, so either we have to manually automate destroying and re-creating the bastion on a schedule (very slow and at the time we investigated certain features could only be enabled in the portal after creation) or just accept that we leave it running 24/7.

Any suggestions would be welcome!



Well-Architected Start Assessment Action is not working .. cannot start or resume an assessment

Hey folks,

There is an issue with the "start assessment" action on this page:

STEP 1: Navigate to this page: https://learn.microsoft.com/en-us/assessments/azure-architecture-review/

STEP 2: Select "Start Assessment" action,

RESULT: Redirected back to this page: https://learn.microsoft.com/en-us/assessments/?mode=pre-assessment&id=azure-architecture-review

Additionally, if I select an active assessment, I am redirected back to this page:
https://learn.microsoft.com/en-us/assessments/?mode=pre-assessment&id=azure-architecture-review

Tried multiple browsers, clearing cache, reloading page and get the same results.

I have an assessment to start on MONDAY, 12/12 .. Please review and advise!


Overview section, documentation link directs back to the same page

Under the Overview section (https://learn.microsoft.com/en-us/azure/well-architected/#overview), the documentation link (https://learn.microsoft.com/en-us/azure/architecture/framework/) takes you back to the main page (https://learn.microsoft.com/en-us/azure/well-architected/).

This doesn't appear to be the expected behaviour.



Networking/App Delivery - Reliability and Operational Excellence pages are identical?

When comparing these two pages, they're basically identical:

image

I don't understand - what's the rationale here?



Autoscaling section is missing Azure Container Apps

Just a quick note:

The autoscaling section is missing Azure Container Apps as a service that offers autoscaling capabilities.



SLA estimator

The repo of the SLA estimator referenced in this doc would benefit from adding a few steps on how to set up the App for people not familiar with building React Apps, the links included are not really helpful as they are missing a lot of steps.

I built the App, but the SLA estimator still does not seem to work; the search functionality does not work and does not find any service.



Does Azure Firewall have "basic/premium" or "standard/premium" SKUs?

In the first item of the tabled list HERE, "Basic" and "Premium" SKUs are mentioned under the "Recommendation" column, but "Standard" and "Premium" SKUs are described under the "Benefit" column. Either "basic" or "standard" should be used uniformly to avoid confusion.



Article incorrectly states ANF is 3rd-party storage

Hello, Geert van Teylingen, Product Manager for Azure NetApp Files, here.

The article incorrectly states ANF is 3rd-party storage, and puts it in the same bucket as "Silk, Flashgrid Storage".
This is NOT correct. ANF is an Azure native 1st-party storage offering, same as Managed disk, Azure storage etc.
https://azure.microsoft.com/en-us/products/netapp/

Please correct this statement urgently, as this puts ANF in a disadvantaged position against true 3rd-party offerings.


Next Steps should point to Encryption, not to the same page.

The suggested Next Step is pointing to the same page you are already in. Following the ToC it should point to Encryption instead.

No mention of testing tools [issue moved from AAC]

Relocating this feedback from MicrosoftDocs/architecture-center#2697 into the Azure Well-Architected Framework issue tracker for triage.

On 5-March, 2021, @jnimander opened an issue and said:

The title of the page is "Testing tools" but I see no mention of any testing tools on the page.



Slowloris WAF coverage

Slowloris is still NOT covered by WAF. We are working on Layer7 DDoS support that eventually will tackle Slowloris types of attacks too, but as of now we still do not have an ETA.

Hence this part should be modified:
https://learn.microsoft.com/en-us/azure/architecture/framework/security/design-network-endpoints#web-application-firewalls-wafs



Scale unit not defined on recommendations page

This page uses the term "scale unit" (in the recommendations) without definition. I found it hard to understand with no context. Perhaps make the first occurrence of "scale unit" link to https://docs.microsoft.com/en-us/azure/architecture/framework/mission-critical/mission-critical-application-design#scale-unit-architecture ?



SLA Estimator does not work

The Service Level Agreement Estimator linked to on this page does not work and has not been updated for some time. Microsoft should maintain and publish the tool themselves.



No what's new section

Hi, it would be great if there was a What's New section like there is for the CAF. Many thanks!



"Next steps" remains the same for all the pages under Deliverables

Every page under Deliverable has "Architect's Checklist" as the Next Step instead of the subsequent page under Deliverable.

eg:
1.
image

image


Additional Green Software Principle Connections and broken links



Threat detection - vague

Most of the sections provide explicit recommendations about things to do or not do, but the Threat Detection section does not. It just mentions things that could be done; it would be better if this section provided stronger recommendations.



Next step is wrong

For the next step is specified "Identity and access management", but there are some other steps inside Governance before going to Identity and Access Management:
image



Follow recommendation with a helpful suggestion for generating traffic for testing?

In the table under Recommendations, the second "Recommend" item suggests "Create initial traffic that is not part of your load tests 20 minutes prior to the test", but the corresponding "Benefit" item does not suggest how to do this, such as a helpful "For more information, see XXX" link used in the prior table row. Would it make sense to suggest a utility such as iPerf3 or traceroute or ping or something better?



and what?

From this page:
"Microsoft Sentinel and is a native control"



Additional Green Software Principle connections for Application Platform



[Typo] Title and first paragraph

The title says "Target and non-functional requirements". I believe it was missing a "Target functional and non-functional requirements".

Also the first paragraph has the same issue.



Good idea - Well architected framework discussion

Including the well architected framework review in this section is helpful. It should be done like this for all of the different services.



Availability, Complexity, Performance percentage value question

What will be the complexity percentage value and performance percentage value when adding an alternative queue when SQL database fails?



Suggested updates for Security considerations with Sustainability



how to find the low-carb azure region

There is no guidance on how to spot the low-carbon regions in Azure.
Any hints would be appreciated.



404 page not found - twice

Azure Well-Architected Framework review - Azure Kubernetes Service (AKS)
Found 404 page not found happened on both highlighted links below.

For context, consider reviewing a reference architecture that reflects these considerations in its design. We recommend that you start with the [baseline architecture for an Azure Kubernetes Service (AKS) cluster]
https://learn.microsoft.com/en-us/architecture/reference-architectures/containers/aks/secure-baseline-aks
and [Microservices architecture on Azure Kubernetes Service].
https://learn.microsoft.com/en-us/architecture/reference-architectures/containers/aks-microservices/aks-microservices
Also review the AKS landing zone accelerator, which provides an architectural approach and reference implementation to prepare landing zone subscriptions for a scalable Azure Kubernetes Service (AKS) cluster.


Diagram too small

There is a really nice reference diagram on this page but it looks like it has been screenshotted from some other guidance.
https://learn.microsoft.com/en-us/azure/architecture/framework/security/design-segmentation#reference-model
Can you link to the source of this image so the deeper layers can be looked at in more detail?



Use SSL/TLS everywhere

Re: Best practice on: "Use SSL/TLS everywhere" - SSL has been considered vulnerable, even TLS v1.



SQL code blocks should be Kusto

Good day,

On both of the following pages, the code blocks are labelled as SQL but should be labelled as Kusto instead:

The same mislabelling seems to be present on other pages as well.

Thanks,

J-F

image



Well-Architecture Review answers not being saved

Yesterday I was able to complete an architecture review assessment, however, today I wasn't able to see the last answers that I made. I tried to create a new one with the same answers but with no results.
